
Pete90

@Pete90@feddit.de


Pete90 ,

I agree, but most games also have a higher ratio of value to cost. If I buy a game for 50 bucks, I'll play it for many hours, let's say 50. So that will be 1 per hour, pretty good. If I buy a new movie that isn't available for subscription streaming, that ratio is easily double. If I have a subscription and need another now, that also lowers its value. It also comes with lower comfort and ease of consumption, as you mentioned.

Another great example is YouTube Premium. I'll gladly pay 5 or 7 bucks for ad-free content, not 14 though. I don't need YouTube Music. So I block ads where I can and donate to creators, if I can afford it. They could have had my money, but they are, simply, greedy.

I also hate it when deals are altered without my consent. It makes me feel like a sucker, and therefore makes it less likely for me to keep investing.

What's your server wattage?

I'm in the process of wiring a home before moving in and getting excited about running 10g from my server to the computer. Then I see 25g gear isn't that much more expensive so I might as well run at least one fiber line. But what kind of three node ceph monster will it take to make use of any of this bandwidth (plus run all my...

Pete90 ,

You most likely won't utilize these speeds in a home lab, but I understand why you want them. I do too. I settled for 2.5GBit because that was a sweet spot in terms of speed, cost and power draw. In total, I idle at about 60W for the following systems:

  • Lenovo M90q (i7 10700, 32GB, 3 x 1TB SSD) running Proxmox, 15W idle
  • Custom NAS (Ryzen 2400G, 16GB, 4 x 12TB HDD) running TrueNAS, 30W idle
  • Firewall (N5105, 8GB) running OPNsense, 8W idle
  • FritzBox 6660 Cable, which functions as a glorified access point, 10W idle

Pete90 ,

Weird, isn't it? A lot of those successful services have cute little mascots. It influences me more than it should.

Pete90 ,

I know exactly what you mean. I'd also prefer Debian, Mint or Fedora. Each has its weaknesses, but you've got to start somewhere. Go for it, then decide for yourself. It's not that hard to switch again.

Pete90 ,

I'd be very careful about publicly hosting Jellyfin. Although not necessarily true, it basically advertises that you're pirating content while also giving out your IP. Even if you rip your own media, this can still be illegal. Please be careful.

Maybe you can put it behind some authentication or, even better, a VPN.

Pete90 ,

From what I found, Lemmy is much better in this regard. I've gotten lots of helpful answers here, so give it a go! There is also a ton of tutorials on YouTube, I recommend something like this for beginners.

Pete90 OP ,

Yeah, that seems to be the case. I'll be on the lookout for official refurbished drives, thanks for your input!

Pete90 OP ,

I didn't even think to look at Amazon, but for 12TB, that is an okay to good price. Too bad the 4TB is inappropriately expensive...

Pete90 OP ,

There is quite a price difference, at least here in Germany. It can easily be double, if not more... I'd love to use SSDs, but can't afford them right now.

Pete90 OP ,

I've had great success with used drives so far, mind you I only buy slightly used with lots of remaining warranty... Saved me tons.

Pete90 OP ,

I'd be scared to be ripped off in a lot. Do they show drive stats before sale?

Pete90 OP ,

Hej. I need all of that data. And those movies too. But yeah, seems to be the case. Weird that people buy those drives, when 12TB aren't that much more expensive. Well, but here I am, but only because I had an old but okay 4TB drive lying around.

Pete90 OP ,

Good to know I'm not the only one!

Pete90 OP ,

Proxmox eats consumer grade SSDs (at least that's what people are talking about)

Pete90 OP ,

Thank you for your offer, but these are too old for what I want to do with them. Cheers!

Pete90 ,

Cool idea. Just be aware that there are a lot of shady people out there. I'm not sure I would publicly host services which rely on tight security (like Vaultwarden). They will come and they will probe your system and its security!

You might also want to remove Dockge from Uptime Kuma, no need to broadcast that publicly.

Pete90 , (edited )

Let me know if you need any help with that. I'm still a beginner, but have used the last few months to learn about cyber security. It can be a daunting subject, but if you get the basics right, you're probably good. I also hosted without a care for years and was never hacked, but it can/will happen. Here are some pointers!

Get or use a firewall. iptables, UFW and such are probably good enough. I myself use OPNsense. It can be integrated with CrowdSec, a popular intrusion prevention system. This can be quite a rabbit hole. In the end, you should be able to control who goes where in your network.

Restrict SSH access or don't allow it at all via the internet. Close port 22 and use a VPN, if needed. Don't allow root access via SSH, use sudo. Use keys and passphrase login for best security.

Update your stuff regularly. Weekly or bi-weekly, if you can.

Use two-factor authentication, where possible. It can be a bit annoying, but improves things dramatically. Long passwords help too, I use random-word-other-word combinations.

If you haven't, think of a backup strategy. 3 redundant copies on 2 media, one off site.
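The SSH pointers above (no root login, keys with a passphrase instead of passwords) can be checked mechanically. The script below is an added example and is not code from this thread or from Pete90: a POSIX shell audit that reads an sshd_config and reports each setting that falls short of those points. It assumes OpenSSH 9.x compiled-in defaults for keys that are absent from the file (PermitRootLogin prohibit-password, PasswordAuthentication yes, KbdInteractiveAuthentication yes), and the two sample configs it audits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the SSH points
# in the comment above. The sample configs at the bottom are constructed.

# sshd_value FILE KEY
# Print the effective global value of KEY. sshd honours the FIRST occurrence of
# a keyword, keywords are case-insensitive, and everything after a "Match" line
# is conditional, so the scan stops there. "Key=value" is folded to "Key value"
# (a simplification; values containing "=" are not handled).
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }           # drop comments, allow Key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }              # conditional section: out of scope
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_setting FILE KEY WANT DEFAULT WHY
# Print one WEAK line when the effective value differs from WANT. If KEY is not
# set at all, sshd's compiled-in DEFAULT applies and is what gets judged.
check_setting() {
    val=$(sshd_value "$1" "$2"); src="set in file"
    if [ -z "$val" ]; then val="$4"; src="sshd default, key not set"; fi
    if [ "$val" != "$3" ]; then
        echo "WEAK: $2 is '$val' ($src), want '$3': $5"
    fi
}

# audit_sshd FILE: one WEAK line per finding. Defaults assumed are OpenSSH 9.x
# (on OpenSSH < 8.7 KbdInteractiveAuthentication was ChallengeResponseAuthentication).
audit_sshd() {
    check_setting "$1" PermitRootLogin              no  prohibit-password "log in as a normal user and use sudo"
    check_setting "$1" PasswordAuthentication       no  yes "use keys protected by a passphrase"
    check_setting "$1" KbdInteractiveAuthentication no  yes "otherwise PAM can still prompt for a password"
    check_setting "$1" PubkeyAuthentication         yes yes "key login must stay enabled"
    check_setting "$1" PermitEmptyPasswords         no  no  "never accept empty passwords"
}

# weak_count FILE: number of findings as a plain integer on stdout.
weak_count() {
    audit_sshd "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# Constructed samples: roughly what a distro ships, and a hardened version.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: root login allowed, password login left at its default
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened along the lines of the comment above
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
# the Match block below is conditional and not part of the global audit
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak sample =="; audit_sshd "$WEAK_CFG"
echo "== hardened sample =="; audit_sshd "$HARD_CFG"
echo "findings: weak=$(weak_count "$WEAK_CFG") hardened=$(weak_count "$HARD_CFG")"
```

Two caveats for a live host. Modern distros ship `Include /etc/ssh/sshd_config.d/*.conf` in sshd_config and this script does not follow Include, so the authoritative check is the daemon's own dump of its effective configuration, `sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '`. And changing or removing `Port 22` in sshd_config does not "close" anything; blocking the port from the internet is the firewall's job, as the comment says.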

Pete90 ,

I did, and it was fast. I was a complete noob, so I thought rm -rf /* would delete everything in the current folder. I hit Ctrl + C, but it was too late. Took a few seconds to wipe out the whole system.

Pete90 OP ,

Each service stack (e.g. media, ISO downloading) has its own network and Traefik is in each of those networks as well. It works and separates the stacks from each other (I don't want stack A to be able to access stack B, which would be the case with a single Traefik network, I think.)

Pete90 OP ,

That's a great idea, I'll give it a try tomorrow. The weird thing is, the web UIs load just fine, at least 90%+ of the time it's almost instant...

Pete90 OP ,

Thank you for your answer. If I do that, can I still connect via HTTP and the browser will then redirect? I don't think I have a problem with remembering HTTPS, but my family will...

Pete90 OP ,

Thank you so much for your thorough answer, this is very much a topic that needs some reading/watching for me. I've checked and I already use all of those headers. So in the end, from a security standpoint, not even having port 80 open would be best. Then, no one could connect unencrypted. I'll just have to drill into my family to just use HTTPS if they have any problems.

It was interesting to see how the whole process between browser and server works, thanks for clearing that up for me!

Pete90 OP ,

I did what you suggested and reduced (1) the number of running services to a minimum and (2) the networks Traefik is a member of to a minimum. It didn't change a thing. Then I opened a private browser window and saw much faster loading times. Great. I then set everything back and refreshed the private browser window: still fast. Okay. Guess it's not Traefik after all. The final nail in the coffin for my theory: I use two Traefik instances. Homepage still loads its widgets left to right, top to bottom (the order from the YAML file). The order doesn't correspond to the instances, it's more or less random. So I'm assuming the slowdown has something to do with (a) either caching from Traefik or (b) the way Homepage handles the API request: http://IP:PORT (fast) or https://subdomain.domain.de. Anyway, thanks for your help!

Pete90 OP ,

Thanks, I'll let you know, once/if I figure it out!

Pete90 ,

Awesome, I'm just getting into restic!

Pete90 ,

Great setup! Be careful with the SSD though, Proxmox likes to eat those for fun with all those small but numerous writes. A used, small capacity enterprise SSD can be had for cheap.

Pete90 ,

I tried this. Put a DNS override for Google.com for one but not the other AdGuard instance. Then did a DNS lookup and the answer (IP) changed randomly from the correct one to the one I used for the override.
I'm assuming the same goes for the scenario with the public DNS as well. In any case, the response delay should be similar, since the local Pi-hole instance has to contact the upstream DNS server anyway.

Feedback on Network Design and Proxmox VM Isolation (feddit.de)

Network design. I started my homelab / selfhost journey about a year ago. Network design was the topic that scared me most. To challenge myself, and to learn about it, I bought myself a decent firewall box with 4 x 2.5G NICs. I installed OPNsense on it, following various guides. I set up my 3 LAN ports as a network bridge to...

Pete90 OP ,

Thank you so much for your kind words, very encouraging. I like to do some research along my tinkering, and I like to challenge myself. I don't even work in the field, but I find it fascinating.

The ZTA is/was basically what I was aiming for. With all those replies, I'm not so sure if it is really needed. I have a NAS with my private files, a nextcloud with the same. The only really critical thing will be my Vaultwarden instance, to which I want to migrate from my current KeePass setup.
And this got me thinking, on how to secure things properly.

I mostly found it easy to learn things when it comes to networking, if I disable all traffic and then watch the OPNsense logs. Oh, my PC uses this and this port to print on this interface. Cool, I'll add that. My server needs access to the SMB port on my NAS, added. I followed this logic through, which in total got me around 25-30 firewall rules making heavy use of aliases and a handful of floating rules.

My goal is to have the control for my networking on my OPNsense box. There, I can easily log in, watch the live log and figure out, what to allow and what not. And it's damn satisfying to see things being blocked. No more unknown probes on my nextcloud instance (or much reduced).

The question I still haven't answered to my satisfaction is whether I build a strict ZTA or fall back to a more relaxed approach like you outlined with your VMs. You seem knowledgeable. What would you do, for a basic homelab setup (Nextcloud, Jellyfin, Vaultwarden and such)?

Pete90 OP ,

Only Nextcloud is externally available so far, maybe I'll add Vaultwarden in the future.

I would like to use a VPN, but my family is not tech literate enough for this to work reliably.

I want to protect these public facing services by using an isolated Traefik instance in conjunction with Cloudflare and Crowdsec.

Pete90 OP ,

Sounds like I'll do just that, thanks. Should I move all public facing services to that DMZ or is it enough to just isolate Traefik?

Pete90 OP ,

I see, thanks for clearing that up.

Pete90 OP ,

Thank you so much for this explanation. I am just a beginner, so those horror stories did scare me a bit. I also read, that you can fine tune ZFS to prevent write amplification so I'll read into that subject a bit more.

I thought ZFS without redundancy gave no benefits, but I must have gotten that wrong. Thanks again!
